InterfaceThe site has a sleek black interface and is extremely user-friendly. A list of the most recent stolen cards are displayed on the screen, with details such as expiration dates, issuing bank, card type, and country. Customers can see how much money they have in their accounts in the top right corner of the screen and can search for cards to buy. Searches can be as specific as type of card, bank name, and even the country the card was issued. Customers can also request additional types of personal information, such as email address, dates of birth, and phone numbers.

The store also provides the "validity rate" for each batch of cards being stolen. This refers to the percentage of cards in the package which are still valid and had not yet been canceled.

Users fund their ValidShop accounts by linking their BitCoin wallets. Other payment options are available, but for obvious reasons, Visa and Mastercard are not accepted.

"The shopping experience is great if you are a bad guy," Ingevaldson said.

ValidityIt's believed that 40 million payment card details were stolen in the breach at Target. "We haven't seen 40 million hit [carder sites] yet," Ingevaldson said. While the thieves want to move the stolen cards as soon as possible, they also understand basic economics. If they dumped all 40 million at once, that would glut the market with too many cards and drive down prices. Instead, the stolen cards are appearing in smaller batches of several million at a time.

There is a narrow window between when the card data is stolen and when the issuing bank cancels the card because of theft. Even so, it was surprising how high the validity rates were even months after the breach was discovered. Cards from the Target breach that appeared on the site in late January had a 83 percent validity rate, compared to 60 percent for the batch dumped in mid-February. Criminals don't need all the cards in the package to be valid to make money. They can spend hundreds of dollars to buy the data and make thousands per card, Ingevaldson said.

MonitoringEasy Solutions can use the BIN (Bank Identification Number) prefix, the zip code, and some other information to identify which cards were stolen from which stores, Ingevaldson said. The company monitors carder sites and if there is a spike in the number of cards being dumped with similar information, it's a fairly clear indicator "something big" had just happened.

While plugging the zip code into the store locator tool on various retailer sites is an "educated speculation," Easy Solutions can track down which stores have been breached with a fairly strong degree of certainty, he said.

One thing is clear from monitoring the carder forums: These operators are "not afraid of prosecution," Ingevaldson said, noting that for these thieves, credit card theft is their 9-to-5 job. "This is what they do," he said..

About the Author

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Inte... See Full Bio

Get Our Best Stories!

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.